Skip to content

OIDC error with reusable workflows #154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GergelyKalmar opened this issue May 4, 2023 · 2 comments
Closed

OIDC error with reusable workflows #154

GergelyKalmar opened this issue May 4, 2023 · 2 comments
Labels
question Further information is requested

Comments

@GergelyKalmar
Copy link

GergelyKalmar commented May 4, 2023
edited
Loading

When trying to use gh-action-pypi-publish with trusted publishing within a reusable workflow, I get the following error:

...
Notice: Attempting to perform trusted publishing exchange to retrieve a temporary short-lived API token for authentication against https://upload.pypi.org/legacy/ due to __token__ username with no supplied password field
Error: Trusted publishing exchange failure: 
Token request failed: the server refused the request for the following reasons:

* `invalid-publisher`: valid token, but no corresponding publisher

The relevant parts of the reusable workflow file are here: https://github.com/logikal-io/github-workflows/blob/main/.github/workflows/publish-release.yml#L128

The calling workflow is here: https://github.com/logikal-io/pytest-logikal/blob/main/.github/workflows/publish-release.yml

I tried it with a trusted publisher set up for both repositories with and also without an environment, none worked:

Publisher | Repository | Workflow | Environment name |  
GitHub | logikal-io/pytest-logikal | publish-release.yml | release |  
GitHub | logikal-io/github-workflows | publish-release.yml | release |  
GitHub | logikal-io/pytest-logikal | publish-release.yml | (Any) |  
GitHub | logikal-io/github-workflows | publish-release.yml | (Any)

I'm wondering if reusable workflows are supported at all or if there's a plan to support them in the future.
@webknjaz
Copy link
Member

webknjaz commented May 4, 2023

Hi @GergelyKalmar, it sounds like you're mixing up two different concepts here. There are composite actions and reusable workflows. But there is no such thing as composite workflows.

You're using reusable workflows in your repository. They are currently unsupported on the PyPI side and I believe this feature is tracked in the warehouse repository. Once implemented, it should work without any changes on the action side. @woodruffw or @di have better understanding of the details and blockers.
I'm going to close this issue since there's no action items on our side at the moment.

P.S. I'm also eager to start using this with reusable workflows but we're not there yet, unfortunately. For now, you'll have to copy the job around.

@webknjaz webknjaz closed this as not planned Won't fix, can't repro, duplicate, stale May 4, 2023
@webknjaz webknjaz added the question Further information is requested label May 4, 2023
@GergelyKalmar GergelyKalmar changed the title OIDC error with composite workflows OIDC error with reusable workflows May 5, 2023
@GergelyKalmar
Copy link
Author

You're right, I wasn't sure if this is an issue with the action or with the OIDC implementation itself. Seems like it is the latter and it is indeed tracked at pypi/warehouse#11096.

I've also fixed the terminology so others may find this issue in the future when searching.

@ryanblock ryanblock mentioned this issue Aug 16, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@webknjaz @GergelyKalmar